ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall, likely to target ethnic Koreans residing in China. While prior versions of the backdoor primarily targeted Windows users, this supply chain attack has enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.
The campaign has singled out sqgamenet, a gaming platform used by ethnic Koreans living in the Yanbian region in China, bordering North Korea and Russia. This region is also known to act as a primary, high-risk transit point for North Korean defectors crossing the Tumen River.
The targeting of this platform is a deliberate strategy given ScarCruft's storied history of targeting:
- North Korean defectors
- Human rights activists
- University professors
- Individuals with connections to both North and South Korea
Filip Jurčacko, senior malware researcher at ESET, told The Hacker News that the campaign was discovered in October 2025, adding that the trojanized Android games are still available for download on the sqgamenet website as of the time of disclosure.
The Attack: Supply Chain Compromise
"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," ESET said in a report shared ahead of publication.
The supply chain attack poisoned the Android APKs available for download from the platform. Specifically, the download pages for two Android games hosted on sqgamenet were altered to serve malicious APKs:
- sqgame.com.cn/ybht.apk
- sqgame.com.cn/sqybhs.apk
Interestingly, the attack only poisoned the Android APKs, leaving the Windows desktop client and iOS games intact—at least initially.
Evidence emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 for an unspecified period. The update package is no longer malicious as of the time of disclosure.
The modified DLL included a downloader that:
- Checks the list of running processes for analysis tools and virtual machine environments (anti-analysis)
- Downloads and executes shellcode containing RokRAT if no analysis tools are detected
- Uses RokRAT to fetch and install BirdCall on the infected hosts
BirdCall Malware: Advanced Evolution
Windows versions of BirdCall are described as an advanced evolution of RokRAT, a backdoor that has been detected in the wild since 2021. Over the years, RokRAT has been adapted to target:
- Windows: Original platform
- macOS: CloudMensis variant (2022)
- Android: RambleOn variant
This indicates that the malware family continues to be actively maintained and expanded by ScarCruft.
BirdCall Capabilities (Windows)
BirdCall comes fitted with features typically present in a sophisticated backdoor:
- Screenshot capture: Visual surveillance of victim activity
- Keystroke logging: Capture of all typed input (credentials, messages)
- Clipboard content theft: Monitoring of copied data
- Shell command execution: Remote command execution on victim machine
- Data gathering: Collection of system information, files, and documents
Like RokRAT, BirdCall relies on legitimate cloud services for command-and-control (C2).
This "cloud-based C2" approach makes detection harder, as traffic blends with legitimate cloud service usage.
BirdCall Capabilities (Android)
The Android variant of BirdCall, distributed as part of the sqgamenet supply chain attack, implements a subset of its Windows counterpart's features and additionally collects:
- Contact lists: Full address book extraction
- SMS messages: Read and potentially intercept text messages
- Call logs: History of incoming, outgoing, and missed calls
- Media files: Photos, videos, audio recordings
- Documents: PDFs, Word docs, spreadsheets, etc.
- Screenshots: Visual capture of device activity
- Ambient audio: Voice recordings from device microphone
An analysis of the malware's lineage has unearthed seven versions, with the first dating back to October 2024. This rapid iteration indicates active development and refinement based on operational feedback.
The Android backdoor also relies on legitimate cloud storage services for C2 communications, including:
- pCloud
- Yandex Disk
- Zoho WorkDrive (increasingly common in 2026 campaigns)
BirdCall vs. RambleOn: Distinct Families
Although BirdCall builds on RokRAT, and RambleOn is likewise derived from RokRAT, the two are fundamentally distinct malware families.
"They both disguise as legitimate Android apps and use cloud storage services for data exfiltration, but are different backdoors," Jurčacko noted.
- BirdCall: Newer, more modular, actively developed since October 2024
- RambleOn: Older Android variant of RokRAT, different codebase
Both represent ScarCruft's commitment to multi-platform surveillance capabilities.
Deployment Chain: Multi-Stage Infection
"BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key," ESET said.
- Stage 1: User downloads trojanized game/APK from sqgamenet
- Stage 2: Initial script (Ruby/Python) executes, decrypts payload using machine-specific key
- Stage 3: Loader checks for analysis tools/VMs (anti-sandbox)
- Stage 4: If clean, downloads RokRAT shellcode
- Stage 5: RokRAT fetches and installs BirdCall
- Stage 6: BirdCall establishes C2 via cloud services, begins surveillance
This multi-stage approach provides several advantages:
- Evasion: Each stage can be updated independently
- Anti-analysis: Machine-specific encryption prevents generic decryption
- Flexibility: Different payloads can be delivered to different targets
- Persistence: Multiple components ensure survival if one is removed
The ScarCruft campaign against sqgamenet highlights several critical security challenges:
1. Supply Chain Attacks on Niche Platforms
ScarCruft didn't target a major gaming platform like Steam or Epic Games. They targeted a small, region-specific platform serving ethnic Koreans in Yanbian. This approach offers:
- Lower security: Smaller platforms have fewer security resources
- Higher target density: Nearly all users fit the desired demographic
- Less scrutiny: Security researchers rarely monitor niche gaming sites
- Longer dwell time: Compromises can persist undetected for months or years
This is a recurring pattern in state-sponsored attacks: target the supply chain of a service used exclusively by your intended victims.
2. Multi-Platform Surveillance
By compromising both Windows and Android components, ScarCruft ensures comprehensive surveillance:
- Windows: Desktop activity, documents, work-related data
- Android: Mobile communications, location, contacts, real-time audio
Together, these provide a 360-degree view of the target's digital life. The Android variant's ability to record ambient audio is particularly invasive—effectively turning the victim's phone into a bug.
3. Cloud-Based C2 Evasion
Using legitimate cloud services (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive) for C2 communications provides significant operational security benefits:
- Traffic blending: Malicious traffic looks like normal cloud sync
- Domain reputation: Cloud service domains are rarely blocked
- Resilience: If one service blocks the attacker, others remain available
- Geographic flexibility: Cloud services have global infrastructure
Defending against this requires behavioral analysis, not just domain blocking.
4. Targeting Defectors and Activists
ScarCruft's focus on North Korean defectors, human rights activists, and academics is not new—but it's escalating. These groups are:
- High-value: Possess sensitive information about North Korea
- Vulnerable: Often lack sophisticated security measures
- Symbolic: Targeting sends a message to others considering defection
- Politically useful: Intelligence can be used for propaganda or coercion
The Yanbian region's role as a transit point for defectors makes it a strategically critical surveillance target for North Korean intelligence.
Reflection: The Human Cost of Cyber Espionage
The ScarCruft campaign against sqgamenet is not just a technical story—it's a human rights story with profound implications.
1. Cyber Weapons Against Vulnerable Populations
North Korean defectors are among the most vulnerable people on the planet. They have:
- Fled one of the world's most repressive regimes
- Often left family members behind in North Korea (hostages in all but name)
- Limited resources for digital security
- High dependence on community-specific platforms (like sqgamenet)
When a state-sponsored group targets these individuals with sophisticated malware, it's not just espionage—it's intimidation, coercion, and potentially endangerment of family members still in North Korea.
Question: What responsibility do platform operators have to protect vulnerable user bases from state-sponsored attacks?
2. The Gaming Platform as a Weapon
Gaming platforms are typically seen as harmless entertainment. But when compromised, they become perfect attack vectors:
- Users expect to download and install software (no suspicion)
- Games often require network access (firewall rules already permissive)
- Gaming communities are tight-knit (high trust, low skepticism)
- Platform operators may lack security expertise (small teams, limited budgets)
ScarCruft's choice of a gaming platform reflects a broader trend: weaponizing trust. The same principle applies to:
- Religious apps targeting specific faith communities
- Language learning apps targeting diaspora populations
- News apps targeting political dissidents
Hard truth: Any software serving a specific demographic is a potential surveillance tool if compromised.
3. The Multi-Platform Reality
BirdCall's evolution from Windows-only to Windows + Android reflects a fundamental shift in surveillance strategy:
- 2021 (RokRAT era): Target desktop computers
- 2024-2026 (BirdCall era): Target everything the victim touches
- People use different devices for different activities
- Desktop: work, documents, long-form communication
- Mobile: personal messages, location data, real-time audio
- Compromising both creates a complete surveillance picture
The Android variant's ability to record ambient audio is particularly chilling. It transforms the victim's phone—a device they carry everywhere, trust implicitly, and use for intimate communications—into a constant listening device.
Question: How do you secure a population that is already on the run, with limited resources, against a state-sponsored adversary with unlimited patience and funding?
BirdCall's use of legitimate cloud services for C2 highlights a structural problem in cybersecurity:
The Good: Cloud services provide incredible value—storage, sync, collaboration, accessibility.
The Bad: The same features make them perfect for malicious C2 infrastructure.
Defenders face an impossible choice:
- Block cloud services: Disrupts legitimate business and personal use
- Allow cloud services: Enables sophisticated attackers to blend in
- Implement behavioral analysis: Expensive, complex, error-prone
There is no technical silver bullet. The only solution is layered defense: network monitoring, endpoint detection, user awareness, and threat intelligence.
5. The Attribution Challenge
ScarCruft is "North Korea-aligned," but what does that mean?
- Are they directly employed by the Reconnaissance General Bureau (RGB)?
- Are they a contracted criminal group working on behalf of the state?
- Are they ideologically motivated volunteers?
The answer shapes the response:
- Sanctions: Who do you punish?
- Deterrence: What consequences can you impose?
- Diplomacy: How do you engage (or not) with North Korea?
But in practice, attribution is often ambiguous. ScarCruft could be any or all of the above. The result is the same: victims are surveilled, intimidated, and potentially harmed.
6. The Ethics of Disclosure
ESET's disclosure of this campaign raises ethical questions:
Arguments for disclosure:
- Warns potential victims (defectors, activists)
- Enables security vendors to update detections
- Pressures platform operators to improve security
- Documents state-sponsored abuse for advocacy
Arguments against (or for delayed) disclosure:
- Alerts attackers that their operation is compromised
- Attackers may quickly change infrastructure, making detection harder
- Victims may be identified and targeted more aggressively
- Platform may be shut down, cutting off a community resource
ESET chose to disclose, likely weighing the benefit of warning vulnerable populations against the risk of tipping off ScarCruft. This is a judgment call with no universally correct answer.
Lessons for Security Teams
1. Monitor Supply Chains, Not Just Perimeters
Traditional security focuses on defending your own network. But supply chain attacks bypass perimeter defenses entirely:
- Inventory all third-party software used by your organization
- Monitor vendor security advisories proactively
- Implement software allowlisting where feasible
- Verify download integrity (hashes, signatures) before installation
2. Assume Cloud Traffic Is Not Innocent
Cloud service usage is ubiquitous, but it's also a primary C2 channel for sophisticated attackers:
- Implement CASB (Cloud Access Security Broker) solutions
- Monitor for unusual cloud service usage patterns
- Alert on connections to less-common cloud services (Yandex, Zoho, etc.)
- Correlate cloud traffic with endpoint behavior
3. Protect Vulnerable User Populations
If your platform serves a specific demographic (ethnic, political, religious), recognize that you may be a target:
- Implement enhanced security monitoring
- Conduct regular third-party security audits
- Provide security guidance to your users
- Have an incident response plan for supply chain compromises
4. Multi-Platform Defense Is Non-Negotiable
Attackers are not choosing between Windows, macOS, Android, or iOS—they're targeting all of them:
- Deploy EDR/XDR across all platforms
- Implement mobile device management (MDM) for corporate devices
- Monitor for cross-platform attack patterns
- Train users on mobile-specific threats (sideloading, suspicious apps)
5. Behavioral Analysis Over Signature Matching
BirdCall's use of machine-specific encryption and multi-stage loading defeats signature-based detection:
- Focus on behavioral indicators (process injection, unusual network connections)
- Monitor for anti-analysis techniques (VM detection, sandbox evasion)
- Implement memory scanning for in-memory payloads
- Use threat hunting to find novel attack patterns
Indicators of Compromise (IOCs)
Malicious URLs
- sqgame.com.cn/ybht.apk
- sqgame.com.cn/sqybhs.apk
C2 Infrastructure (Cloud Services)
- Dropbox folders with suspicious file names
- pCloud storage with encoded payloads
- Yandex Disk links in unexpected contexts
- Zoho WorkDrive shares from unknown senders
Behavioral Indicators
- Ruby/Python scripts downloading additional payloads
- Processes checking for analysis tools before executing
- Unexpected ambient audio recordings on Android devices
- High-volume screenshot capture on corporate devices
- Clipboard monitoring without user consent
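The following is an added example, not ESET's detection logic or anything from the sqgamenet platform, showing how two of the behavioral indicators above (a Ruby/Python interpreter reaching cloud storage, and a process enumerating running processes just before its first outbound connection, as the trojanized Windows DLL does) can be hunted over endpoint telemetry. The event schema, the process image names such as sqgame_update.exe, and the hostnames are all constructed for the example; real EDR exports and real cloud-service hostnames differ.

```python
"""Hunting heuristics for BirdCall-style loader behaviour (added example).

Telemetry is a constructed list of dict events. Assumed event kinds:
  - "process_list": the process enumerated running processes (the
    anti-analysis check described in the article)
  - "network": an outbound connection, with "dest" as the hostname
"""

# Cloud-storage services named in the article. Matching on these substrings
# is an assumption; map them to your own proxy/DNS categories in practice.
CLOUD_STORAGE_HINTS = ("dropbox", "pcloud", "yandex", "zoho")
SCRIPT_INTERPRETERS = {"ruby.exe", "python.exe", "pythonw.exe",
                       "ruby", "python", "python3"}


def is_cloud_storage(host: str) -> bool:
    """True if the destination looks like one of the named cloud services."""
    host = host.lower()
    return any(hint in host for hint in CLOUD_STORAGE_HINTS)


def hunt(events):
    """Return (rule, pid, image, dest) findings for two article heuristics:
    1. script_to_cloud_storage: a Ruby/Python interpreter (the stage-1
       loader in the multistage chain) talking to a cloud-storage service.
    2. process_enum_then_network: a process listed running processes and
       then made an outbound connection (anti-analysis check, then download).
    """
    findings = []
    enumerated = set()  # pids that have enumerated running processes
    for ev in events:
        pid, image = ev["pid"], ev["image"].lower()
        if ev["type"] == "process_list":
            enumerated.add(pid)
        elif ev["type"] == "network":
            dest = ev["dest"]
            if image in SCRIPT_INTERPRETERS and is_cloud_storage(dest):
                findings.append(("script_to_cloud_storage", pid, image, dest))
            if pid in enumerated:
                findings.append(("process_enum_then_network", pid, image, dest))
                enumerated.discard(pid)  # report once per process
    return findings


# Constructed sample telemetry: a benign browser sync, a hypothetical game
# updater that checks processes before downloading, and a Python loader
# contacting a (placeholder) cloud-storage host.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 100, "image": "chrome.exe", "dest": "www.dropbox.com"},
    {"type": "process_list", "pid": 300, "image": "sqgame_update.exe"},
    {"type": "network", "pid": 300, "image": "sqgame_update.exe", "dest": "updates.example"},
    {"type": "network", "pid": 400, "image": "python.exe", "dest": "pcloud.example"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The browser reaching Dropbox produces no finding on its own, which is the point of correlating cloud traffic with endpoint behavior rather than blocking domains.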
Timeline
- Late 2024: ScarCruft compromises sqgamenet platform
- October 2024: First version of BirdCall Android backdoor appears
- November 2024: Trojanized Windows DLL distributed via update package
- October 2025: ESET discovers the campaign
- May 2026: Public disclosure by ESET and The Hacker News
- Ongoing: Trojanized Android APKs still available for download
The ScarCruft campaign against sqgamenet is a stark reminder that cyber espionage is not an abstract threat—it targets real people with real vulnerabilities. North Korean defectors, human rights activists, and academics are not just "targets"; they are individuals who have already risked everything for freedom, only to find that the digital world offers no sanctuary.
BirdCall's evolution from a Windows-only backdoor to a multi-platform surveillance toolkit demonstrates the adaptability and persistence of state-sponsored attackers. The use of legitimate cloud services for C2, the multi-stage infection chain, and the focus on supply chain compromise all reflect a sophisticated threat actor that has learned from past operations and continues to refine its capabilities.
For defenders, the lesson is clear: security cannot be platform-specific, perimeter-focused, or signature-dependent. It must be holistic, behavioral, and rooted in an understanding of who the attackers are targeting—and why.
In the rigged game of state-sponsored cyber espionage, the house always wins—unless we change the rules. And changing the rules requires vigilance, collaboration, and an unwavering commitment to protecting the most vulnerable among us.
Because in the end, cybersecurity is not just about protecting data. It's about protecting people.